-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding a license in 'allow-dependencies-licenses' does not prevent it from being populated in "invalid-license-changes" #764
Comments
Hi @sreya, thanks for the report. At first glance, it looks like the problem is that some of these package-urls technically violate the spec so they aren't being parsed as one might expect. According to the purl-spec, the "name" segment must be a percent-encoded string. In your case, that means you should have:
where I think this will probably fix your issue. At the same time, I agree that this is kind of an annoying aspect of the purl spec, so I've also created #765 to make our parser a little more permissive. |
Hi @juxtin I'm still receiving an error when updating to your commit 🤔 . I even tried url encoding to no avail...here's the output/workflow file: dependency-license-review:
runs-on: ubuntu-latest
if: github.ref != 'refs/heads/main'
steps:
- name: "Checkout Repository"
uses: actions/checkout@v4
- name: "Dependency Review"
id: review
# TODO: Replace this with the latest release once https://github.com/actions/dependency-review-action/pull/761 is merged.
uses: actions/dependency-review-action@82ab8f69c78827a746628706b5d2c3f87231fd4c
with:
allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
allow-dependencies-licenses: "pkg:golang/github.com/pelletier/go-toml/v2,pkg:golang/gopkg.in/DataDog%2fdd-trace-go.v1@1.63.1"
license-check: true
vulnerability-check: false
- name: "Report"
# make sure this step runs even if the previous failed
if: always()
shell: bash
env:
VULNERABLE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
run: |
fields=( "unlicensed" "unresolved" "forbidden" )
for field in "${fields[@]}"; do
# Use jq to check if the array is not empty
if [[ $(echo "$VULNERABLE_CHANGES" | jq ".${field} | length") -ne 0 ]]; then
echo "$VULNERABLE_CHANGES" | jq
exit 1
fi
done
echo "No incompatible licenses detected" {
"unlicensed": [
{
"change_type": "added",
"manifest": "go.mod",
"ecosystem": "gomod",
"name": "gopkg.in/DataDog/dd-trace-go.v1",
"version": "1.63.1",
"package_url": "pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1",
"license": null,
"source_repository_url": null,
"scope": "runtime",
"vulnerabilities": []
}
],
"unresolved": [],
"forbidden": []
} |
Poking through the code, it looks like exclusions are processed by parsing the dependency-review-action/src/licenses.ts Line 48 in 339e2e1
In the above case, the package URL from gomod is Either way, I can't convince it to ignore packages, escaping the |
Hi @juxtin any update here? Mainly wondering if there's a workaround we can use |
Apologies everyone, it looks like we still have a discrepancy somewhere in how we represent or parse Go purls somewhere. We'll have to dig into this a bit more to narrow that down. |
Just an update I found another purl that doesn't appear to work:
Still returns an unknown
|
My expectation is that adding a license to
allow-dependencies-licenses
should prevent it from being populated in theinvalid-license-changes
output however that doesn't seem to be the case with the action below. Is this a bug or are my expectations for the output incorrect? If I misunderstood, how do I manually approve unlicensed packages so that they do not fail the jobThe text was updated successfully, but these errors were encountered: